In the function setText, a JavaScript command is built via string concatenation.
If the user-supplied string contains unescaped characters (e.g. '), the user-supplied string is executed by the browser context. In most cases this leads to a crash of the JavaScript interpreter.
The same problem also applies to insertText and insertHTML.
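The concatenation pattern described above, next to a hardened form that serializes the text as a string literal before it is placed in the command. This is an added example, not the project's code: the `editor` stub, the builder and `run` function names, and the sample inputs are assumptions, and the builders are written in JavaScript because the page does not show the host-side code.

```javascript
// Added example. `editor` is a hypothetical stand-in for the page-side object
// that receives setText / insertText / insertHTML calls.

// Vulnerable pattern: the text is pasted between single quotes unescaped.
function buildCommandUnsafe(fn, text) {
  return "editor." + fn + "('" + text + "');";
}

// Hardened pattern: serialize the text as a JavaScript string literal.
// U+2028/U+2029 are escaped as well, since engines older than ES2019
// treat them as line terminators inside string literals.
function buildCommandSafe(fn, text) {
  const literal = JSON.stringify(String(text))
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "editor." + fn + "(" + literal + ");";
}

// Evaluate a command against a stub editor and report what it received.
function run(command) {
  const received = [];
  const record = (value) => received.push(value);
  const editor = { setText: record, insertText: record, insertHTML: record };
  try {
    new Function("editor", command)(editor);
    return { ok: true, received };
  } catch (err) {
    return { ok: false, error: err.name, received };
  }
}

// Constructed sample inputs: an apostrophe, quotes that turn the text into an
// expression, a raw newline, and a backslash before a quote.
const samples = ["it's", "' + 'x", "line1\nline2", "a\\'b"];

function compare() {
  return samples.map((text) => ({
    text,
    unsafe: run(buildCommandUnsafe("setText", text)),
    safe: run(buildCommandSafe("setText", text)),
  }));
}

console.log(JSON.stringify(compare(), null, 2));
```

With the unsafe builder, the apostrophe and newline inputs fail to parse, and the other two are evaluated as code, so the editor receives something other than the text supplied. The safe builder delivers every input unchanged.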